With Canadian businesses rapidly transitioning their operations exclusively to remote online environments in response to COVID-19, information security has never been more critical. To safeguard teams and organizations now working remotely – some for the first time ever – CWB’s Chief Information Security Officer Cory Gould offers businesses the following advice and best practices to keep their data and assets safe.
Be aware of suspicious emails
E-mail phishing remains the tried-and-true method that hackers use to exploit unsuspecting targets. Fraudsters send emails with malicious files or links that, when downloaded or clicked, can compromise a user or business. “They’re much more effective when they leverage world events like COVID-19 to convince us that an email is legitimate.” The method has become more sophisticated, too. “We’re seeing a trend towards personalized messages, which is much more effective in tricking people to download malicious attachments or follow links,” explains Cory.
Opportunistic hackers are posing as someone the target knows and trusts, perhaps another business owner or colleague, in an effort to gain access to passwords or accounts. And as legitimate directions are sent through email now more than ever, hackers are taking advantage. “Once compromised, they masquerade as the owner of the email account and instruct staff to redirect funds, pay invoices or execute bank wire transactions to an unusual bank account.”
To combat this, Cory stresses one word: caution. “We need to be cautious with the instructions we receive, following up and validating before we act, especially when they concern moving money.” Even if something seems only a little bit off, let people know. “Don’t be afraid to call out something that doesn’t seem the norm.”
Best practices to stay safe
Business owners and individuals alike can enact the following safeguards while moving to largely digital work processes. And always remember, sound information security starts with you. “First and foremost, trust your gut,” Cory emphasizes. “If something doesn’t seem right, ask.”
- Set up notifications and triggers when actions occur in your online bank account. These can prompt you when a new payment is made or a new credit card is registered. (CWB Pro Tip: Find this feature in ‘Messages and Alerts’ in the left-hand navigation bar of CWBdirect Online Banking.)
- If multiple people in your organization make payments and manage cash flow, use unique identities in your payment systems. “If you have a dozen staff in your company for accounts payables, make sure each person has a unique identity,” says Cory.
- Be alert to terms or language a sender might not normally use. “Pay attention to the norms,” advises Cory. Your customers likely use familiar language and give consistent instructions, so if anything feels off in their email communication, trust your instincts and validate the message with a colleague or superior.
- Use multi-factor authentication whenever possible. Adding the complexity of a randomly generated token for accessing your email or social media accounts significantly bolsters security. Consider cloud services like Office 365 or Google’s suite of business apps.
- Make sure all of your business systems are patched and updated, and use anti-malware software on all your devices.
- Don’t repeat your passwords. “It’s a very common mistake to use the same password for Facebook as you would for your online bank account,” Cory states. “Separate your social behaviours from your business transactions online.”
What your employees should know about working from home
Moving entirely to a remote working environment can be a shock for even the most prepared organizations. With that in mind, there are simple steps a business can take to help their employees maintain information security, especially while at home.
First, a ‘clean desk policy’ is easy to implement in any home office. “When you’re working with private, confidential information in a new environment, you have to remember to practice extra caution,” says Cory. “If you print stuff out, shred it. Use business email addresses and not personal email addresses. If you save a file, make sure it’s not on your personal desktop. Always think twice about downloading and sending information, especially if you have multiple people in the home using the same devices or networks.”
Furthermore, Cory recommends using business-issued devices rather than personal ones for your business actions where possible. “This keeps your business and home activities separate, and provides less opportunity for misuse of data from a malicious outside source or an internal accident.”
Most importantly, Cory emphasizes due diligence when you’re considering the tools to transition to remote work and how you manage your work and personal devices. For example, if you want to move your business into a cloud or hosted model, identify the key data and services you want to transfer. And if you’re not sure how these systems work, seek professional and legal advice, as there are multiple elements to consider, including data ownership, access and other legal factors.
“By moving to online services and remote work arrangements, you’re not deferring your risk — the business you conduct in an online fashion is still yours to own,” says Cory. “You’re obligated to your staff to do this correctly. Seek out professional and legal advice if something is unfamiliar or particularly sensitive.”
Want more information on cybersecurity? The Canadian Centre for Cyber Security posts alerts and advisories, telework security tips, and tools and services to help protect you as a business owner and an individual.